Fortinet black logo

Administration Guide

Web content filter

Web content filter

You can control access to web content by blocking webpages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can specify words, phrases, patterns, wildcards, and regular expressions to match content on webpages. You can use multiple web content filter lists and select the best one for each web filter profile.

The maximum number of web content patterns in a list depends on the model of the device. To find the maximum number of web content patterns allowed for a device, go to the Maximum Values Table (https://docs.fortinet.com/max-value-table). Select the software version and models, and click Go. Maximum values are displayed. In the Search box, enter webfilter.content:entries to find the maximum number.

When configuring a web content filter list, the following patterns are available:

Web content pattern type

Description

Wildcard

Use this setting to block or exempt one word or text strings of up to 80 characters. You can also use wildcard symbols such as ? or * to represent one or more characters. For example, a wildcard expression forti*.com matches fortinet.com and fortiguard.com. The * represents any character appearing any number of times.

Regular expression

Use this setting to block or exempt patterns of regular expressions that use some of the same symbols as wildcard expressions, but for different purposes. In regular expressions, * represents the character before the symbol. For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com. In this case, the symbol * represents i appearing any number of times.

Content evaluation

The web content filter scans the content of every webpage that is accepted by a firewall policy. The system administrator can specify banned words and phrases and attach a numerical value (or score) to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases found on that page. If the sum is higher than a threshold set in the web filter profile, the FortiGate blocks the page.

The default score for web content filter is 10 and the default threshold is 10. This means that by default, a webpage is blocked by a single match. These settings can only be configured in the CLI.

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the webpage.
  • The score for any word in a phrase without quotation marks is counted.
  • The score for a phrase in quotation marks is counted only if it appears exactly as written.

The following table is an example of how rules are applied to the webpage contents . For example, a webpage contains only this sentence:

The score for each word or phrase is counted only once, even if that word or phrase appears many times in the webpage.

Banned pattern

Assigned score

Score added to the sum for the entire page

Threshold score

Comment

word

20

20

20

Appears twice but is only counted once. The webpage is blocked.

word phrase

20

40

20

Each word appears twice but is only counted once, giving a total score of 40. The webpage is blocked.

word sentence

20

20

20

word appears twice and sentence does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. The webpage is blocked.

"word sentence"

20

0

20

This phrase does not appear exactly as written. The webpage is allowed.

"word or phrase"

20

20

20

This phrase appears twice but is only counted once. The webpage is blocked.

To configure a web content filter in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the Static URL Filter section, enable Content Filter.

  3. In the table, click Create New. The New Web Content Filter pane opens.

  4. Configure the following settings:

    Pattern Type

    Regular Expression

    Pattern

    fortinet

    Language

    Western

    Action

    Block

    Status

    Enable

  5. Click OK. The entry appears in the table.

  6. Configure the other settings as needed.

  7. Click OK.

To configure a web content filter in the CLI:
  1. Create the content (banned word) table:

    config webfilter content
       edit 1
          set name "webfilter"
          config entries
             edit "fortinet"
               set pattern-type regexp
               set status enable
               set lang western
               set score 10
               set action block
             next
          end
       next
    end
  2. Apply the content table to the web filter profile:

    config webfilter profile
       edit "webfilter"
          config web
             set bword-threshold 10
             set bword-table 1
          end
          config ftgd-wf
             unset options
          end
       next
    end
To verify the content filter:
  1. Go to a website with the word fortinet, such as www.fortinet.com.

    The website is blocked and a replacement page displays:

Web content filter

You can control access to web content by blocking webpages containing specific words or patterns. This helps to prevent access to pages with questionable material. You can specify words, phrases, patterns, wildcards, and regular expressions to match content on webpages. You can use multiple web content filter lists and select the best one for each web filter profile.

The maximum number of web content patterns in a list depends on the model of the device. To find the maximum number of web content patterns allowed for a device, go to the Maximum Values Table (https://docs.fortinet.com/max-value-table). Select the software version and models, and click Go. Maximum values are displayed. In the Search box, enter webfilter.content:entries to find the maximum number.

When configuring a web content filter list, the following patterns are available:

Web content pattern type

Description

Wildcard

Use this setting to block or exempt one word or text strings of up to 80 characters. You can also use wildcard symbols such as ? or * to represent one or more characters. For example, a wildcard expression forti*.com matches fortinet.com and fortiguard.com. The * represents any character appearing any number of times.

Regular expression

Use this setting to block or exempt patterns of regular expressions that use some of the same symbols as wildcard expressions, but for different purposes. In regular expressions, * represents the character before the symbol. For example, forti*.com matches fortiii.com but not fortinet.com or fortiice.com. In this case, the symbol * represents i appearing any number of times.

Content evaluation

The web content filter scans the content of every webpage that is accepted by a firewall policy. The system administrator can specify banned words and phrases and attach a numerical value (or score) to the importance of those words and phrases. When the web content filter scan detects banned content, it adds the scores of banned words and phrases found on that page. If the sum is higher than a threshold set in the web filter profile, the FortiGate blocks the page.

The default score for web content filter is 10 and the default threshold is 10. This means that by default, a webpage is blocked by a single match. These settings can only be configured in the CLI.

Banned words or phrases are evaluated according to the following rules:

  • The score for each word or phrase is counted only once, even if that word or phrase appears many times in the webpage.
  • The score for any word in a phrase without quotation marks is counted.
  • The score for a phrase in quotation marks is counted only if it appears exactly as written.

The following table is an example of how rules are applied to the webpage contents . For example, a webpage contains only this sentence:

The score for each word or phrase is counted only once, even if that word or phrase appears many times in the webpage.

Banned pattern

Assigned score

Score added to the sum for the entire page

Threshold score

Comment

word

20

20

20

Appears twice but is only counted once. The webpage is blocked.

word phrase

20

40

20

Each word appears twice but is only counted once, giving a total score of 40. The webpage is blocked.

word sentence

20

20

20

word appears twice and sentence does not appear, but since any word in a phrase without quotation marks is counted, the score for this pattern is 20. The webpage is blocked.

"word sentence"

20

0

20

This phrase does not appear exactly as written. The webpage is allowed.

"word or phrase"

20

20

20

This phrase appears twice but is only counted once. The webpage is blocked.

To configure a web content filter in the GUI:
  1. Go to Security Profiles > Web Filter and click Create New, or edit an existing profile.

  2. In the Static URL Filter section, enable Content Filter.

  3. In the table, click Create New. The New Web Content Filter pane opens.

  4. Configure the following settings:

    Pattern Type

    Regular Expression

    Pattern

    fortinet

    Language

    Western

    Action

    Block

    Status

    Enable

  5. Click OK. The entry appears in the table.

  6. Configure the other settings as needed.

  7. Click OK.

To configure a web content filter in the CLI:
  1. Create the content (banned word) table:

    config webfilter content
       edit 1
          set name "webfilter"
          config entries
             edit "fortinet"
               set pattern-type regexp
               set status enable
               set lang western
               set score 10
               set action block
             next
          end
       next
    end
  2. Apply the content table to the web filter profile:

    config webfilter profile
       edit "webfilter"
          config web
             set bword-threshold 10
             set bword-table 1
          end
          config ftgd-wf
             unset options
          end
       next
    end
To verify the content filter:
  1. Go to a website with the word fortinet, such as www.fortinet.com.

    The website is blocked and a replacement page displays: